Dionaea Honeypot Obfuscation - Avoiding service identification

Posted: 2016-01-02 by Admin

Since some days we work on a fork of the great Dionaea Honeypot. Dionaea is a low-interaction honeypot that captures attack payloads and malware by offering a variety of network services.

We modify some of its services to avoid identification by network scanners like: Nmap. All modifications below are in our repository on github https://github.com/devwerks/dionaea

We started a Intense scan with Nmap to see what services are identified and associated with Dionaea

nmap -T4 -A -v host
21/tcp open ftp Dionaea honeypot ftpd

We search for the String "Dionaea honeypot ftpd" in the file nmap-service-probes. There we can see that Nmap detects the Welcome Message send by the Dionaea FTP service. So we changed the message to show a ProFTPD server.

-		self.reply(WELCOME_MSG, "Welcome to the ftp service")
+		self.reply(WELCOME_MSG, "ProFTPD 1.2.8 Server")
443/tcp open https Dionaea honeypot httpd

The same procedure as above. We respond now with the protocol HTTP/1.1 instead of HTTP/1.0.

-		self.send("%s %d %s\r\n" % ("HTTP/1.0", code, message))
+		self.send("%s %d %s\r\n" % ("HTTP/1.1", code, message))

This should also work for Port: 80 http

SSL Certificate
Issuer: commonName=Nepenthes Development Team/organizationName=dionaea.carnivore.it/countryName=DE

This was not directly detected by Nmap, but it can be found by an attacker by reading the Nmap output.

-		MBSTRING_ASC, (const unsigned char *)"Nepenthes Development Team", -1, -1, 0);
+		MBSTRING_ASC, (const unsigned char *)"RapidSSL SHA256 CA", -1, -1, 0);
-		MBSTRING_ASC, (const unsigned char *)"dionaea.carnivore.it", -1, -1, 0);
+		MBSTRING_ASC, (const unsigned char *)"GeoTrust Inc.", -1, -1, 0);

We changed this to look like real Certificate.

How to use

To use dionaea, simply copy from https://github.com/devwerks/dionaea. The configuration is the same.

If you run into issues, feel free to get on touch on Twitter, check the current issues or create a new one. Patches are also welcome.